[squid-users] TR: [Bulk] Re: [squid-users] Certificate Validation problem due to Sha 256 message digest

From: Raphael <jraph_at_jraph.com>
Date: Fri, 12 Dec 2008 14:53:05 +0100

Hi All,

I use Openssl 0.9.8i which manages to check the certificate. I am also able
to get the sha256 digest of a file:
openssl dgst -sha256 /root/openssl-0.9.8i.tar.gz
is working and gives me the message digest.

But I'm not sure, as when I list the digest algorithms I have:
openssl list-message-digest-commands
md2
md4
md5
rmd160
sha
sha1

The same command on the certificate authority gives same entries. And the
machine manages to generate certificates with sha256 message digest
algorithms.

To configure Squid 3 stable 11 RC1 (and other versions) I used:
./configure --bindir=/bin --sbindir=/sbin --enable-ssl --with-openssl=/root/openssl-0.9.8i
with the sources of Openssl (that I compiled) being in /root/openssl-0.9.8i.
The configuration and compilation didn't generate any errors.

When I run openssl speed, among all the tests there is a sha256 calculation.

I am posting another message on the Openssl mailing list to see if I am missing
something; I will post any information here.

Thanks

Raphaël

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Sunday 7 December 2008 05:52
To: Raphael
Cc: squid-users_at_squid-cache.org
Subject: [Bulk] Re: [squid-users] Certificate Validation problem due to Sha 256 message digest

Raphael wrote:
> Hi All,
>
> I am testing Squid as a reverse proxy https checking access with a brand new
> OpenCA install.
> All is working pretty well except one problem that I cannot get rid of; I'm
> not really sure the problem is coming from Squid itself.
>
> Here it is: My certificates generated with the Certificate Authority are
> using Sha256 as message digest algorithm. I read that Sha1 will go until
> 2010 and then Sha256 will do the job. The CA certificate will expire in 2036
> so I think it is a good choice.
>
>
> When I check a client certificate together with my CA, Openssl (0.8.9i =
> latest) manages to verify it.
>
> openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
> /root/72571934AA.pem: OK
>
> When I use it as a CA in Squid (3.0 Stable 11 and older it is the same, as
> well as Debian stable and testing packages) there is a problem verifying the
> client certificate (which is valid) and the connection is rejected. The
> problem seems to come from the Sha256 message digest algorithm.
>
> I am trying to connect with a windows XP SP3 client that should handle
> Sha256 and IE or Firefox gives an error. Firefox says
> ssl_error_decrypt_error_alert.
> On the Squid side I always get the same error :
>
> SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
> clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
> 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
> algorithm (1/-1)

Have you checked that your Squid has been built against an OpenSSL
version which contains that particular algorithm decoder?

That error message is received from the SSL library as-is "0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown mesage digest algorithm"

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
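An added triage helper (example code, not from the thread, Squid or OpenSSL) that parses the two cache.log lines quoted above: it decodes the bare X509 verify result ("error 7") and unpacks the hex OpenSSL error code into library, function and reason numbers, flagging the "unknown message digest" case that Amos points at as a build-linkage problem. The ERR_PACK bit layout and the X509_V_ERR_* numbers are OpenSSL constants; the hint text and the sample log are constructed here.

```python
import re

# OpenSSL packs an error as ERR_PACK(lib, func, reason):
# bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
ERR_LIB_ASN1 = 13  # library number of the ASN.1 routines

# Squid logs the X509_V_ERR_* verify result as a bare number ("error 7").
X509_VERIFY_ERRORS = {
    7: "certificate signature failure",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
}

VERIFY_RE = re.compile(r"SSL unknown certificate error (\d+) in (\S+)")
LIBERR_RE = re.compile(r"error\s*:\s*([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^(]+)")

def unpack_err(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(lines):
    """Return one finding per recognised SSL error line from a Squid cache.log."""
    findings = []
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            num = int(m.group(1))
            findings.append({"kind": "x509_verify", "code": num, "subject": m.group(2),
                             "meaning": X509_VERIFY_ERRORS.get(num, "unknown verify error")})
            continue
        m = LIBERR_RE.search(line)
        if m:
            lib, func, reason = unpack_err(int(m.group(1), 16))
            text = m.group(4).strip()
            # Tolerate the "mesage" spelling that the quoted log line carries.
            missing = lib == ERR_LIB_ASN1 and re.search(r"unknown mes+age digest", text)
            findings.append({"kind": "openssl", "lib": lib, "func": func, "reason": reason,
                             "function": m.group(3), "reason_text": text,
                             "hint": ("OpenSSL linked into squid has no decoder for the "
                                      "certificate's signature digest; check the build's "
                                      "--with-openssl path against the CA's signature "
                                      "algorithm") if missing else None})
    return findings

# Constructed sample: the two lines quoted in the thread, as Squid writes them.
SAMPLE_LOG = [
    "SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA",
    "clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:0D0C50A1:"
    "asn1 encoding routines:ASN1_item_verify:unknown mesage digest algorithm (1/-1)",
]
```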
Received on Fri Dec 12 2008 - 13:52:58 MST

This archive was generated by hypermail 2.2.0 : Sun Dec 14 2008 - 12:00:02 MST